Hi,
I have gone through all my code again and I think I must be close, I cannot think of much more I can do.
I have taken point about processing data only when it is required pointed out to me by kaisellgren.. Thanks
I hence would like to post my code:
a) So that it can be ripped apart and improved, and
b) so anyone can use it who would like to.
c) I can find out what my mistakes are
I would appreciate it if someone can go through it and tell me my mistakes and also if there are any improvments I could do.
General comments anything constructive.
I have included a zip of all my code, if you use it you will need to update the db.inc file and insert into the DB the data from title.sql used for the dropdown menu. I am on XAMPP on windowsXP
Kind Regards
Stephen
page_header.php
Code: Select all
<?php
// Tell PHP to work in UTF-8 mode
mb_internal_encoding( 'UTF-8' );
// Inform browser we are sending data in UTF-8
header('Content-Type: text/html; charset=UTF-8');
// We are submitting a form so not Cache please
header("Cache-control: private");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
index.php
Code: Select all
<?php
if (!session_id()){ session_start(); }
// The following 7 php statments are not needed for this example but will be required for when we insert the UTF8 into a mysql DB
// Start by including
include("db.inc");
include("error.inc");
// make a UTF-8 connection to the database NOT PREPREP
if (!($connection = mysql_connect($hostName, $username, $password))) die("Could not connect to database");
if (!mysql_query("SET NAMES 'utf8';", $connection)) { echo "SET NAME ERROR"; }
if (!mysql_set_charset('utf8',$connection)) { echo "SET CHARACTER ERROR"; }
if (!mysql_selectdb($databaseName, $connection)) { showerror(); }
if ($connection){ mysql_close($connection); }
?>
<?php include "page_header.php" ?>
<?php
include("forms.inc");
if( $_POST['submit'] ) { $msg = validate_registration_form(); }
if($msg != 1) {
display_registration_form($msg);
} else {
echo "You submited the Following Data, please confirm it is OK<br>";
foreach ($_POST as $key => $value) {
echo encode_output_registration_form($key) . "=" . encode_output_registration_form($value) . "<br>";
}
}
?>
<?php
include("dumps.inc");
include "page_footer.php"
?>
form.inc
Code: Select all
<?php function display_registration_form($msg=NULL) {
include("dropdown.inc");
?>
<style type="text/css">
body { font: 14px Georgia, serif; }
form { width:350px; text-align:left; -moz-border-radius:15px 15px 15px 15px; -moz-box-shadow:0 0 10px #333333; border:3px solid blue; padding:10px;}
fieldset ol { list-style: none; }
label { display: block; color:#7C6767; font-size:14px; }
input, select { border-color:#EEEEEE #CCCCCC #CCCCCC #EEEEEE; border-right:1px solid #CCCCCC; border-style:solid; border-width:1px; font-size:12px; margin:0 0 15px; padding:5px; width:250px;}
input[type="text"]:focus, input[type="password"]:focus { border-color:#555555; background-color: #efefef;}
input:hover { border-color: blue; border-width: 1px; border-style: solid; }
span.error { color:red; font: 10px Georgia, serif;}
div.securitycode { text-align:left; }
</style>
<form class="standard-form" name="registration" action="" method="post" accept-charset="UTF-8" enctype="application/x-www-form-urlencoded">
<fieldset>
<legend>Registration Form</legend>
<span class="error"><?php if(!empty($msg)){ echo "Following errors occurred:<br>$msg<br>"; } ?></span>
<ol>
<li>
<label for="Username">UserName</label>
<input name="UserName" type="text" size="12" value="<?php if(isset($_POST['UserName'])){ echo encode_output_registration_form($_POST['UserName']); } ?>">
</li>
<li>
<label for="Title">Title</label>
<?php $intIdField = "TitleID"; $strNameField = "Title"; $strTableName = "title"; $strOrderField = "TitleID"; $strNameOrdinal = "Title"; $strMethod="asc"; $selectedVal=encode_output_registration_form($_POST['Title']); dropdown($intIdField, $strNameField, $strTableName, $strOrderField, $strNameOrdinal, $strMethod, $selectedVal);?>
</li>
<li>
<label for="FirstName">FirstName</label>
<input name="FirstName" type="text" size="40" value="<?php if(isset($_POST['FirstName'])){ echo encode_output_registration_form($_POST['FirstName']); } ?>">
</li>
<li>
<label for="Lastname">LastName</label>
<input name="LastName" type="text" size="40" value="<?php if(isset($_POST['LastName'])){ echo encode_output_registration_form($_POST['LastName']); } ?>">
</li>
<li>
<label for="email">Email</label>
<input name="Email" type="text" size="40" value="<?php if(isset($_POST['Email'])){ echo encode_output_registration_form($_POST['Email']); } ?>">
</li>
<li>
<label for="password">Password</label>
<input name="Password" type="password" size="40" />
</li>
<li>
<label for="password">Confirm Password</label>
<input name="Password2" type="password" size="40">
</li>
<li>
<label for="securitycode">Please Type in this Security Code:</label><div class="securitycode"><img src="gencap.php"></div>
<input name="securitycode" type="text" size="6">
<input type="hidden" name="form_token" value="<?php if (!session_id()){ session_start();} ; $_SESSION['form_token'] = md5( uniqid('auth', true) ); echo $_SESSION['form_token']; ?>" />
<input name="submit" type="submit" value="Register">
</li>
</ol>
</fieldset>
</form>
<?php } ?>
<?php function encode_output_registration_form($string) {
// Set utf8 type
setlocale(LC_CTYPE, 'en_US.UTF-8');
// only allows well formed Unicode and rejects overly long 2 byte sequences, as well as characters above U+10000).
$strings = preg_replace('/[\x00-\x08\x10\x0B\x0C\x0E-\x19\x7F]'.
'|[\x00-\x7F][\x80-\xBF]+'.
'|([\xC0\xC1]|[\xF0-\xFF])[\x80-\xBF]*'.
'|[\xC2-\xDF]((?![\x80-\xBF])|[\x80-\xBF]{2,})'.
'|[\xE0-\xEF](([\x80-\xBF](?![\x80-\xBF]))|(?![\x80-\xBF]{2})|[\x80-\xBF]{3,})/S',
'?', $strings );
//The second preg_replace() removes overly long 3 byte sequences and UTF-16 surrogates.
$strings = preg_replace('/\xE0[\x80-\x9F][\x80-\xBF]'.
'|\xED[\xA0-\xBF][\x80-\xBF]/S',
'?', $strings );
$string = iconv('UTF-8', 'UTF-8//IGNORE', $string);
// Decode strip
$string = html_entity_decode($string, ENT_QUOTES,"UTF-8");
// stip <> and () just in case of XSS or other strange reasons
$string = preg_replace('/[\<\>\(\)]/', ' ', $string);
// "<script>alert("xss")</script>\ the following line blockes XSS attack
$string = htmlentities($string, ENT_QUOTES,"UTF-8");
return($string);
}
?>
<?php function validate_registration_form() {
//encode as per output to browser
foreach ($_POST as $key => $value) {
$_POST[$key] = encode_output_registration_form($value);
$_POST[$key] = html_entity_decode($value, ENT_QUOTES,"UTF-8");
}
// test UserName ,[A-Za-z0-9_] between 4 and 20 chars, lowercase ASCII
// SHOULD NOT BE UTF-8
if (!filter_has_var(INPUT_POST, 'UserName')){ $msg .= "<li>* Please fill ALL the fields in the Registration Form - UserName.</li>"; }
if (!filter_var($_POST["UserName"], FILTER_VALIDATE_REGEXP,array("options"=>array("regexp"=>"/^[a-zA-Z0-9_]+$/")))){ $msg .= "<li>* Your UserName must only use ASCII Letters, Numbers, or Underscore(_).</li>"; }
if (strlen( $_POST["UserName"]) > 20 || strlen($_POST["UserName"]) < 4) { $msg .= "<li>* Your UserName need to be between 4 and 20 Charicters in length.</li>"; }
// test Title ,number, length 3, between 001 and 010
// will be an INT
if (!filter_has_var(INPUT_POST, 'Title')){ $msg .= "<li>* Please fill ALL the fields in the Registration Form - Title.</li>"; }
if(!filter_var($_POST["Title"], FILTER_VALIDATE_INT,array("options"=>array("min_range" => 1, "max_range" => 10)))){ $msg .= "<li>* Please select your title.</li>"; }
// test FirstName ,NO number, between 3 and 30 chars, NOTE names like O'Neal should be OK
// THIS IS UTF-8
if (!filter_has_var(INPUT_POST, 'FirstName')){ $msg .= "<li>* Please fill ALL the fields in the Registration Form - FirstName.</li>"; }
if (mb_strlen( $_POST["FirstName"]) > 30 || mb_strlen($_POST["FirstName"]) < 3) { $msg .= "<li>* Opps..It's a problem with you First name.</li>"; }
if (!filter_var($_POST["FirstName"], FILTER_VALIDATE_REGEXP,array("options"=>array("regexp"=>"/[0-9<>-_¬@!£$%^]/")))){ $msg .= "<li>* Your FirstName must only use Letters UTF-8 is fine.</li>"; }
// test LastName ,NO number, between 3 and 30 chars, NOTE names like O'Neal should be OK
// THIS IS UTF-8
if (!filter_has_var(INPUT_POST, 'LastName')){ $msg .= "<li>* Please fill ALL the fields in the Registration Form - LastName.</li>"; }
if (mb_strlen( $_POST["LastName"]) > 30 || mb_strlen($_POST["LastName"]) < 3) { $msg .= "<li>* Opps..It's a problem with you Last name.</li>"; }
if (!filter_var($_POST["LastName"], FILTER_VALIDATE_REGEXP,array("options"=>array("regexp"=>"/[0-9<>-_¬@!£$%^]/")))){ $msg .= "<li>* Your LastName must only use Letters.</li>"; }
// test Email , between 6 and 50 chars, lowwercase, validate, lowercase
// NOT UTF-8
if (!filter_has_var(INPUT_POST, 'Email')){ $msg .= "<li>* Please fill ALL the fields in the Registration Form - Email.</li>"; }
//convert and make sure it is ACSII only
$_POST["Email"] = utf8_decode($_POST["Email"]);
if (strlen($_POST["Email"]) > 50 || strlen($_POST["Email"]) < 6) { $msg .= "<li>* Your Email address seems to be very long (or to short).</li>"; }
if (!filter_var($_POST["Email"], FILTER_VALIDATE_EMAIL)){ $msg .= "<li>* Please retype you email address, we will email you to validate your account so it needs to be correct.</li>"; }
// NEED to limit chars
// test Passwords x2 , between 6 and 50 chars, identical, upper and lower case sensitive,
// can be UTF-8
if (!filter_has_var(INPUT_POST, 'Password')){ $msg .= "<li>* Please fill ALL the fields in the Registration Form - Password.</li>"; }
if (!filter_has_var(INPUT_POST, 'Password2')){ $msg .= "<li>* Please fill ALL the fields in the Registration Form - Password2.</li>"; }
if (mb_strlen( $_POST["Password"]) > 50 || mb_strlen($_POST["Password"]) < 6) { $msg .= "<li>* Your Password must be between 6 and 50 characters long.</li>"; }
if( $_POST["Password"] != $_POST["Password2"]) { $_POST['Password'] = $_POST['Password2'] = NULL; $msg .= "<li>* Your passwords do not match.</li>"; }
// test form_token , session form_token identical, clean out token
if (!filter_has_var(INPUT_POST, 'form_token')){ $msg .= "<li>* Please use the Registration Form - form_token.</li>"; }
if (ctype_alnum($_POST['form_token']) != true) { $msg .= "<li>* form_token Error, IP logged.</li>"; }
if( $_POST['form_token'] != $_SESSION['form_token']) { $msg .= "<li>* We have detected an abnormal attempt to register, probably you have taken too long to fill out the register form, You will need to submit it again.</li>"; }
unset( $_SESSION['form_token'] );
// test CAPTCHA
if (!filter_has_var(INPUT_POST, 'securitycode')){ $msg .= "<li>* Please fill in the security code.</li>"; }
if(strlen($_POST['securitycode']) != 5) { $msg .= "<li>* The security code has five characters</li>"; }
if (ctype_alnum($_POST['securitycode']) != true) { $msg .= "<li>* Security code Error, Wrong characters.</li>"; }
if( md5(strtoupper($_POST['securitycode'])) != $_SESSION['rndnum']) { $msg .= "<li>* Opps Wrong Security Code.</li>"; }
unset( $_SESSION['rndnum'] );
// test form_submit is Register and clean out
if (!filter_has_var(INPUT_POST, 'submit')){ $msg .= "<li>* Please use the Registration Form - submit.</li>"; }
if( $_POST['submit'] != "Register") { $_POST['submit'] = NULL; $msg .= "<li>* Please use our form to register.</li>"; }
if(!empty($msg)) {
$msg = "<ol>" . $msg . "</ol>";
return($msg);
}
else {
return(1);
}
}
?>